Inject DLL under ring0

Source: Internet
Author: User

Recently I have been working on something that needs to intercept process creation and inject a DLL from ring0 (the DLL then hooks APIs in ring3). There are many ways to implement this; here I use the idea proposed by sudami and reference code provided by another expert. Although there is nothing technically deep in it, it still took a long time for someone like me, who is just getting started with the kernel, to get it working: there were many blue screens, and many details need attention.

Idea: a newly created process is an empty kettle with no boiling water (threads) in it, so the system calls NtCreateThread to create the main thread (pouring cold water into the empty kettle). This thread starts out suspended; once it is resumed, execution returns to the process's address space, where kernel32.dll notifies CSRSS.EXE: "A new process was born here, record it in your table." Then the DLLs start loading: all the DLLs in the system's KnownDlls section are mapped into this big kettle. Finally, KiThreadStartup heats the cold water in the kettle; the water starts boiling and the main thread begins to run...

Intercept NtCreateThread, take the new thread's CONTEXT and save the address it will start executing at (the user-mode start address passed in EAX, which would enter the empty kettle). Then hijack that address with one pointing into a buffer we allocate ourselves, filled with shellcode that loads the target DLL and afterwards jumps back to the saved start address. There are many ways to choose the buffer. The simplest is to attach to the target process (KeAttachProcess) and allocate a small block in its 2 GB user address space, just large enough for the shellcode. As follows:



Code: ugly

// Hook replacement for NtCreateThread. Identifiers were mangled by machine translation and are
// reconstructed here; the hook-install globals (OldSystemServiceAddr, g_AddrInfo, g_TargetProcessName)
// and the handle-list helpers IsHandleExist/RemoveHandle are defined elsewhere in the driver.
NTSTATUS NewNtCreateThread(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ProcessHandle,
    OUT PCLIENT_ID ClientId,
    IN PCONTEXT ThreadContext,
    IN PINITIAL_TEB InitialTeb,
    IN BOOLEAN CreateSuspended)
{
    // original service routine saved when the SSDT entry was replaced (index expression garbled in the source)
    OldNtCreateThread = (NTCREATETHREAD)OldSystemServiceAddr[SYSCALL_INDEX(ZwCreateThread)];

    if (IsHandleExist(ProcessHandle)) {        // handle was recorded by the ZwCreateProcessEx hook
        CHAR       ProcessName[16];
        NTSTATUS   ObjectStatus;
        PRKPROCESS pProcess;
        KAPC_STATE ApcState;

        DbgPrint("CreateThread(%08x, %08x, %08x, %08x, %08x, %08x, %08x, %08x)\n",
                 ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle,
                 ClientId, ThreadContext, InitialTeb, CreateSuspended);

        pProcess = NULL;
        // obtain the EPROCESS object from the process handle
        ObjectStatus = ObReferenceObjectByHandle(ProcessHandle, PROCESS_ALL_ACCESS,
                                                 *PsProcessType, UserMode,
                                                 (PVOID *)&pProcess, NULL);
        if (ObjectStatus == STATUS_SUCCESS) {
            // ImageFileName sits at EPROCESS + 0x174 on the OS build the source targets (hard-coded)
            RtlStringCbCopyA(ProcessName, 16, (CHAR *)pProcess + 0x174);
            _strlwr(ProcessName);               // process name to lowercase
            if (strstr(ProcessName, g_TargetProcessName)) {   // target name (identifier garbled in the source)
                NTSTATUS AllocStatus;
                UCHAR   *BaseAddr;
                SIZE_T   RegionSize;
                ULONG    Win32StartAddr;
                ULONG    LoadLibraryAddr;

                RegionSize      = 100;
                BaseAddr        = NULL;
                LoadLibraryAddr = g_AddrInfo.LoadLibraryAddr;

                if (ThreadContext) {
                    Win32StartAddr = ThreadContext->Eax;    // user-mode start address travels in EAX
                    if (!Win32StartAddr) {
                        DbgPrint("Win32StartAddr not set\n");
                    } else {
                        // switch into the target process's address space
                        KeDetachProcess();
                        KeAttachProcess(pProcess);
                        // KeUnstackDetachProcess(&ApcState);
                        // KeStackAttachProcess(pProcess, &ApcState);
                        // allocate memory with PAGE_EXECUTE_READWRITE access rights
                        AllocStatus = ZwAllocateVirtualMemory(NtCurrentProcess(), (PVOID *)&BaseAddr, 0,
                                                              &RegionSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                        if (AllocStatus != STATUS_SUCCESS) {
                            DbgPrint("Fail to allocate memory! AllocStatus = 0x%x\n", AllocStatus);
                        } else {
                            ULONG Offset        = 0;
                            ULONG OffsetStrAddr = 0;
                            DbgPrint("Memory allocation OK! BaseAddr = 0x%x\n", BaseAddr);

                            BaseAddr[Offset] = 0x68;            // push 0xXXXXXXXX (address of DLL path)
                            ++Offset;
                            OffsetStrAddr = Offset;             // patched once the string offset is known
                            Offset += 4;
                            BaseAddr[Offset] = 0xBB;            // mov ebx, LoadLibraryAddr
                            ++Offset;
                            *(ULONG *)(BaseAddr + Offset) = LoadLibraryAddr;
                            Offset += 4;
                            BaseAddr[Offset] = 0xFF;            // call ebx
                            ++Offset;
                            BaseAddr[Offset] = 0xD3;
                            ++Offset;
                            BaseAddr[Offset] = 0xB8;            // mov eax, Win32StartAddr
                            ++Offset;
                            *(ULONG *)(BaseAddr + Offset) = Win32StartAddr;
                            Offset += 4;
                            BaseAddr[Offset] = 0x50;            // push eax
                            ++Offset;
                            BaseAddr[Offset] = 0xC3;            // ret (continues at the original start address)
                            ++Offset;
                            // parameter for LoadLibrary: the path string placed right after the stub
                            *(ULONG *)(BaseAddr + OffsetStrAddr) = (ULONG)(BaseAddr + Offset);
                            // memcpy(BaseAddr + Offset, "tsetkey.dll", strlen("tsetkey.dll") + 1);
                            memcpy(BaseAddr + Offset, g_AddrInfo.DllPath, sizeof(g_AddrInfo.DllPath));
                            DbgPrint("<eax: 0x%08x>\n", Win32StartAddr);
                            Win32StartAddr = (ULONG)BaseAddr;
                        } // end ZwAllocateVirtualMemory

                        // switch context back
                        KeDetachProcess();
                        // set Win32StartAddr
                        ThreadContext->Eax = Win32StartAddr;
                    }
                } // end ThreadContext
            } // end strstr
            ObDereferenceObject(pProcess);      // release the reference on every path, not only on a name match
            RemoveHandle(ProcessHandle);
        } // end ObReferenceObjectByHandle
        else {
            DbgPrint("Fail to ReferenceObject. Stopping injecting technique.\n");
        }
    } // end IsHandleExist

    return OldNtCreateThread(ThreadHandle, DesiredAccess, ObjectAttributes, ProcessHandle,
                             ClientId, ThreadContext, InitialTeb, CreateSuspended);
}
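As an added example (not from the original post or the referenced code), the following Python scans a dumped user-mode memory region for the exact 19-byte loader stub the hook above writes (push path; mov ebx, LoadLibraryA; call ebx; mov eax, original start; push eax; ret) and recovers what a forensic analyst wants from it: the LoadLibrary address, the original thread entry point and the DLL path. The sample region, its base address and the API address are constructed placeholders.

```python
import re
import struct

# 19-byte x86 loader stub exactly as the hook above writes it; the NUL-terminated
# DLL path is expected to follow the final RET.
STUB_RE = re.compile(
    rb"\x68(?P<path>.{4})"     # push imm32      -> address of DLL path string
    rb"\xbb(?P<loadlib>.{4})"  # mov ebx, imm32  -> LoadLibraryA
    rb"\xff\xd3"               # call ebx
    rb"\xb8(?P<entry>.{4})"    # mov eax, imm32  -> original thread start
    rb"\x50\xc3",              # push eax ; ret  -> resume original start
    re.DOTALL)
STUB_LEN = 19

def find_loader_stubs(region, base):
    """One record per stub in `region` (bytes of a user-mode dump mapped at `base`)."""
    hits = []
    for m in STUB_RE.finditer(region):
        path_va, loadlib_va, entry_va = (
            struct.unpack("<I", m.group(g))[0] for g in ("path", "loadlib", "entry"))
        str_off = path_va - base
        dll_path = None
        if 0 <= str_off < len(region) and region.find(b"\x00", str_off) != -1:
            dll_path = region[str_off:region.index(b"\x00", str_off)].decode("ascii", "replace")
        hits.append({
            "stub_va": base + m.start(),
            "loadlibrary": loadlib_va,
            "original_entry": entry_va,
            "dll_path": dll_path,
            # the hook places the string right after RET; a mismatch means a variant or false positive
            "path_adjacent": str_off == m.end(),
        })
    return hits

# Constructed sample: 8 filler bytes, then a stub laid out as above (all addresses are placeholders).
SAMPLE_BASE = 0x00400000
SAMPLE_LOADLIBRARY = 0x7C801D7B
SAMPLE_ENTRY = 0x00401000
SAMPLE_PATH = b"C:\\example\\hook.dll"

def build_sample_region():
    stub_va = SAMPLE_BASE + 8
    stub = (b"\x68" + struct.pack("<I", stub_va + STUB_LEN)
            + b"\xbb" + struct.pack("<I", SAMPLE_LOADLIBRARY)
            + b"\xff\xd3"
            + b"\xb8" + struct.pack("<I", SAMPLE_ENTRY)
            + b"\x50\xc3" + SAMPLE_PATH + b"\x00")
    return b"\xcc" * 8 + stub
```

Run `find_loader_stubs(build_sample_region(), SAMPLE_BASE)` to see the decoded record; on a real dump, a hit whose `path_adjacent` is false or whose `original_entry` lies outside the process's main image is worth a closer look.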

Because a process creates more than one thread, a linked list is used to keep track of process handles: hook ZwCreateProcessEx to add the new process handle to the list, and delete it in the NtCreateThread hook once the first (main) thread has been handled, so later threads of the same process are left alone.
